Why Knowing Your Chain of Custody Is Crucial for Software Security

May 17, 2018

During a recent webinar, I was asked whether having a highly flexible and integratable Software Configuration Management (SCM) tool in the software delivery pipeline was important. Without a doubt, the answer is yes; you want as much control as possible over how your software is configured because keeping track of and tightly controlling changes is so important for quality, compliance, and security. But the question really touches on a much larger topic, and that’s ensuring that security is integrated into every part of your pipeline. Leaving it as an afterthought is a risk you cannot afford.

That’s why you’re probably hearing a lot about one of the hottest topics in DevOps right now: DevSecOps. And with experts such as Gene Kim talking about the importance of integrating security into the daily work of Development and Operations, there’s no time better than now to start thinking about DevSecOps for your organization.


DevSecOps—Shifting Security Left

Generally speaking, DevSecOps refers to shifting security left in your software delivery chain. It involves making cultural and process changes around security that incorporate automated security and testing across the release pipeline. Secure release pipelines encompass all phases of testing, including static code analysis, functional testing, API validation, vulnerability analysis, and even penetration testing.

Derek Weeks of Sonatype summarizes DevSecOps well when he says that security moves from a “bolt-on practice at the end of a software delivery lifecycle to one built-in that is consumed like a service, thereby empowering development and operations teams to improve and iterate component choices instantly.”

Why should you integrate security across your entire pipeline? One reason is that there’s been a huge increase in the number of companies using open source tools, cloud, and the Internet. Fortunately, there are organizations out there to help you protect yourself. The Open Web Application Security Project (OWASP), for example, regularly updates its list of the top ten security risks, known as the “OWASP Top Ten.” Additionally, the Center for Internet Security (CIS) provides widely used guidance on security controls through its CIS Controls.

If you’re in a highly regulated industry, security controls aren’t the only thing you need to think about. Built-in compliance checks are requisite in industries like healthcare (see HIPAA) and financial services (see the Gramm-Leach-Bliley Act, AML, and PCI DSS). Plus, on May 25, 2018, the European Union will begin enforcing the General Data Protection Regulation, or GDPR.

In summary, compliance requirements are only going to increase. And, with the acceleration of software development, the ability to track developed code and trace requirements to that code (and ultimately to the deployed artifact), will be a must. This is critical for open source, because when a new vulnerability is identified, you need to know where it’s being used and how it’s configured so you can quickly remediate.


Understanding Your Chain of Custody

Whether you’re using open source or commercial DevOps tools, it’s vital that you have full control over and visibility into your pipeline, so that when you deploy to production environments, you can access your “chain of custody” at all times.

Chain of custody in software development refers to knowing the status of a release at any given moment: what’s in the release, what the components are, how they’re configured, who configured them, what gates have been successfully navigated, and which requirement the code derives from. You need to know the chain of custody of every release, so that if you’re ever in a situation where you must recreate or provide evidence in a discovery situation, you can be 100% certain that the information is correct. The information must be immutable and must provide the level of detail required to satisfy audit and regulatory requirements.
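The two requirements above, an immutable record of what went into a release and the ability to find every release that ships a given component when a vulnerability is announced, can be illustrated with a small hash-chained ledger. The code below is an added example written for this article; it is not XebiaLabs product code, and the release name, component versions, actors and gate names are constructed sample data. Each entry commits to the previous entry's hash, so editing or deleting any record after the fact is detected by `verify()`.

```python
"""Tamper-evident chain-of-custody ledger for a software release.

Added example, not XebiaLabs' product code. Every record name and field
below is a constructed illustration of the data the article says a chain
of custody must capture: components and their hashes, configuration,
who made each change, which gates passed, and the originating requirement.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List


def _digest(payload: Dict[str, Any], prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is stable
    # regardless of dict ordering when the entry is re-serialised later.
    body = json.dumps({"prev": prev_hash, "entry": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class Entry:
    kind: str              # "requirement", "component", "config" or "gate"
    actor: str             # who recorded the change (constructed ids)
    data: Dict[str, Any]   # the record itself
    prev_hash: str         # hash of the preceding entry (links the chain)
    hash: str              # hash over this entry plus prev_hash


class CustodyLedger:
    """Append-only, hash-chained record of everything that went into a release."""

    GENESIS = "0" * 64

    def __init__(self, release: str):
        self.release = release
        self.entries: List[Entry] = []

    def append(self, kind: str, actor: str, **data: Any) -> Entry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        payload = {"release": self.release, "kind": kind, "actor": actor, "data": data}
        entry = Entry(kind, actor, data, prev, _digest(payload, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; any edited, reordered or removed entry breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            payload = {"release": self.release, "kind": e.kind, "actor": e.actor, "data": e.data}
            if e.prev_hash != prev or _digest(payload, prev) != e.hash:
                return False
            prev = e.hash
        return True

    def components(self) -> Dict[str, str]:
        return {e.data["name"]: e.data["version"]
                for e in self.entries if e.kind == "component"}

    def gates_passed(self) -> List[str]:
        return [e.data["gate"] for e in self.entries
                if e.kind == "gate" and e.data["result"] == "pass"]


def releases_using(ledgers: List[CustodyLedger], component: str, version: str) -> List[str]:
    """Vulnerability response: which releases ship this exact component version?"""
    return [led.release for led in ledgers if led.components().get(component) == version]


def build_sample_release() -> CustodyLedger:
    # Constructed sample data, not a real release or a real audit trail.
    led = CustodyLedger("payments-api 2.4.0")
    led.append("requirement", "pm-alice", id="REQ-1207", title="Add 3-D Secure support")
    led.append("component", "ci-bot", name="libxml2", version="2.9.10", sha256="c0ffee" * 10 + "c0ff")
    led.append("component", "ci-bot", name="openssl", version="1.1.1g", sha256="deadbeef" * 8)
    led.append("config", "ops-bob", key="TLS_MIN_VERSION", value="1.2", environment="prod")
    led.append("gate", "ci-bot", gate="static-analysis", result="pass")
    led.append("gate", "ci-bot", gate="dependency-scan", result="pass")
    led.append("gate", "sec-carol", gate="pentest", result="pass")
    return led


def demonstrate_tamper_detection() -> bool:
    """Quietly rewrite a recorded component version; verify() must return False."""
    led = build_sample_release()
    assert led.verify()
    led.entries[2].data["version"] = "1.0.2u"   # after-the-fact edit of the record
    return led.verify()


if __name__ == "__main__":
    led = build_sample_release()
    print("chain intact:", led.verify())
    print("components:", led.components())
    print("gates passed:", led.gates_passed())
    print("releases with libxml2 2.9.10:", releases_using([led], "libxml2", "2.9.10"))
    print("tampered chain still verifies:", demonstrate_tamper_detection())
```

In a real pipeline the ledger would be written by the release tool rather than by hand, the entries would carry timestamps and a signature from the recording system, and the chain head would be stored somewhere the pipeline itself cannot overwrite; the hash chaining shown here is what makes the "immutable" property checkable rather than merely asserted.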

In the old days, all this tracking was done post-deployment using discovery mechanisms in production environments. Discovery tools run after the fact are expensive, time-consuming, and inaccurate; fortunately, they’re no longer needed.

Today, you can use an Application Release Automation (ARA) tool to implement a Continuous Delivery pipeline that’s consistent, repeatable, and trackable, so that your chain of custody is at your fingertips the moment you, your auditors, or your regulators demand it, in a format that’s immediately consumable. Further, an ARA tool gives you immediate insight into and control over your end-to-end pipeline, documenting, logging, and reporting on every step in the process, while automating and standardizing your deployments.

Most importantly, with ARA, release processes automatically enforce compliance policies and requirements for mitigating organizational risk, so teams can focus on releasing software quickly. The enforcement of good security practices embedded within your release processes reduces the attack surface, while delivering the insights required for rapid remediation of vulnerabilities.

In short, chain of custody, which ARA makes possible, not only allows you to meet organizational mandates, it gives DevOps teams the insight they need to deliver faster with better quality.

About the Author

Rob Stroud is Chief Product Officer for XebiaLabs and a recognized industry thought leader in DevOps and Continuous Deployment. Before XebiaLabs, Rob was Principal Analyst for Forrester Research, Inc., where he helped large enterprises drive their DevOps transformations and guided them through organizational change. As VP Strategy and Innovation for IT Business Management for CA Technologies, Rob developed the strategy and product portfolio for products within multi-billion dollar markets.